FTP is the File Transfer Protocol. It has two modes of operation, active mode (PORT) and passive mode (PASV). They differ in which side opens the data connection, and that is what decides which firewall rules the server needs.
PORT (active mode)
The FTP client connects to port 21 on the FTP server and logs in with a username and password. When it later needs a directory listing (LIST) or a file transfer, the client opens a random port above 1024 and sends a PORT command to the server, telling it that active mode is in use and which port has been opened. On receiving the PORT command and the port number, the server connects from its own port 20 to the port the client opened and sends the data over that connection. Because the server initiates the data connection, the client (and any NAT or firewall in front of it) must accept an inbound connection from port 20; the control connection alone is not enough.
PASV (passive mode)
The FTP client connects to port 21 on the FTP server and logs in with a username and password. When it later needs a directory listing or a file transfer, it sends a PASV command to the server; the server opens a random port above 1024 locally and tells the client which port that is, and the client then connects to that port for the data transfer. Both connections are initiated by the client here, which is why passive mode works behind client-side NAT, but the server must now accept inbound connections on every port it may announce.
1. Working in active mode
[root@localhost mnt]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

[root@localhost mnt]# iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
[root@localhost mnt]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -p tcp --sport 20:21 -j ACCEPT
[root@localhost ftp]# netstat -anpt | grep vsftp
tcp   0   0 0.0.0.0:21            0.0.0.0:*             LISTEN      1895/vsftpd
tcp   0   0 192.168.60.20:21      192.168.60.10:13153   ESTABLISHED 2066/vsftpd

The SSH rule is inserted before the OUTPUT policy is switched to DROP so the session is not cut off. After that the server needs INPUT dport 21 for the control connection, and OUTPUT sport 20:21 for two reasons: sport 21 carries the control-channel replies, and sport 20 carries the data connection, which in active mode the server itself initiates towards the port the client announced in PORT. The client's SYN-ACK for that data connection comes back in through the existing RELATED,ESTABLISHED rule.
2. Working in passive mode
[root@localhost ftp]# vi /etc/vsftpd/vsftpd.conf
# enable FTP PASV mode
pasv_enable=yes
# restrict the data-connection ports to 24500-24600 so the firewall only has to be opened for that range
pasv_min_port=24500
pasv_max_port=24600
[root@localhost ftp]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost ftp]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh

[root@localhost ftp]# iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT
[root@localhost ftp]# iptables -I INPUT -p tcp --dport 24500:24600 -j ACCEPT
[root@localhost ftp]# iptables -I OUTPUT -p tcp --sport 21 -j ACCEPT
[root@localhost ftp]# iptables -I OUTPUT -p tcp --sport 24500:24600 -j ACCEPT
[root@localhost ftp]# netstat -anpt | grep vsftp
tcp   0       0 0.0.0.0:21            0.0.0.0:*             LISTEN      2543/vsftpd
tcp   0       0 192.168.60.20:24537   0.0.0.0:*             LISTEN      2618/vsftpd
tcp   0   23400 192.168.60.20:24537   192.168.60.10:13417   ESTABLISHED 2620/vsftpd
tcp   0       0 192.168.60.20:21      192.168.60.10:13415   ESTABLISHED 2618/vsftpd

In vsftpd.conf comments start with #, so the annotations are written as comment lines; a trailing "// ..." on a value line would stop the file from parsing. Here both connections come in from the client, so INPUT must accept the control port and the whole announced range, and OUTPUT must let the replies out from those same ports; the netstat output shows vsftpd listening on 24537, inside the configured range. Pinning pasv_min_port/pasv_max_port is what makes the 24500:24600 rule possible at all; without it vsftpd would pick any port above 1024. The other way to cover the data connection is the kernel's nf_conntrack_ftp helper, which watches the PORT/PASV exchange on port 21 and marks the resulting data connection RELATED so the existing RELATED,ESTABLISHED rule admits it.
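The control-channel exchange behind the two modes in working code, as an example added to this page (it is not the blog's own code and not vsftpd code): parsing the 227 reply a client gets back after PASV, building and parsing the PORT command, the endpoint check that should be applied before a PORT or 227 is honoured (vsftpd applies it unless port_promiscuous/pasv_promiscuous are set to YES), and a loopback run of the passive exchange. The addresses in the comments are the ones from the netstat output above; the toy server, the function names and the payload are assumptions made for the example.

```python
import re
import socket
import threading

# Example added to this page (not the blog's own code and not vsftpd code).
# Addresses/ports in the comments come from the netstat output on the page;
# the toy server, function names and payload are assumptions.

_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), rejecting bad octets."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range: %r" % (groups,))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply: str):
    """Client side of PASV: '227 Entering Passive Mode (192,168,60,20,95,217).'
    -> ('192.168.60.20', 24537), the random port vsftpd opened (95*256+217)."""
    m = re.search(r"^227 .*\(" + _SIX + r"\)", reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode(m.groups())


def build_port_command(ip: str, port: int) -> str:
    """Client side of PORT: announce the port the client opened (>1024) so the
    server can connect to it from port 20. 192.168.60.10:13153 -> 51,97."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def parse_port_command(cmd: str):
    """Server side of PORT: 'PORT 192,168,60,10,51,97' -> ('192.168.60.10', 13153)."""
    m = re.fullmatch(r"PORT " + _SIX + r"\s*", cmd)
    if not m:
        raise ValueError("malformed PORT command: %r" % cmd)
    return _decode(m.groups())


def data_endpoint_allowed(control_peer_ip, announced_ip, port, promiscuous=False):
    """Should a PORT (server side) or 227 (client side) endpoint be honoured?
    The peer may only steer the data connection to itself: a different address
    is the FTP bounce attack (PORT aimed at a third host) or a PASV redirect.
    Ports at or below 1024 are refused, matching the '>1024' rule in the text.
    ``promiscuous`` stands in for vsftpd's port_promiscuous/pasv_promiscuous,
    which switch the address check off and should stay at their default NO."""
    if port <= 1024:
        return False
    return promiscuous or announced_ip == control_peer_ip


def passive_exchange(payload=b"hello over the data connection\r\n") -> bytes:
    """Loopback PASV run: control connection first; the server then listens on
    a second, random port, announces it in a 227 reply, and the client connects
    there and reads the payload. Returns what the client received."""
    ctrl_srv = socket.socket()
    ctrl_srv.settimeout(5)
    ctrl_srv.bind(("127.0.0.1", 0))
    ctrl_srv.listen(1)

    def server():
        ctrl, _ = ctrl_srv.accept()
        ctrl.settimeout(5)
        with ctrl:
            ctrl.sendall(b"220 toy ftpd ready\r\n")
            if ctrl.recv(64).strip() != b"PASV":
                ctrl.sendall(b"500 only PASV is implemented\r\n")
                return
            data_srv = socket.socket()          # like vsftpd: a fresh random port
            data_srv.settimeout(5)
            data_srv.bind(("127.0.0.1", 0))
            data_srv.listen(1)
            ip, port = data_srv.getsockname()
            ctrl.sendall(("227 Entering Passive Mode (%s,%d,%d).\r\n"
                          % (ip.replace(".", ","), port // 256, port % 256)).encode())
            with data_srv:
                data, _ = data_srv.accept()
                with data:
                    data.sendall(payload)

    t = threading.Thread(target=server, daemon=True)
    t.start()
    with socket.create_connection(ctrl_srv.getsockname(), timeout=5) as ctrl:
        ctrl.recv(64)                            # 220 banner
        ctrl.sendall(b"PASV\r\n")
        ip, port = parse_pasv_reply(ctrl.recv(128).decode())
        # client-side check: refuse a 227 that points away from the server
        if not data_endpoint_allowed(ctrl.getpeername()[0], ip, port):
            raise RuntimeError("server announced a foreign data endpoint")
        with socket.create_connection((ip, port), timeout=5) as data:
            received = b"".join(iter(lambda: data.recv(4096), b""))
    t.join(5)
    ctrl_srv.close()
    return received
```

The check in data_endpoint_allowed is the part the iptables rules above cannot give you: the firewall decides which ports may be reached, but only the FTP server can see that a PORT command is trying to aim its port-20 connection at a third host, and only the client can see that a 227 reply points somewhere other than the server it is talking to.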
Note: which mode is used is decided on the client side (it is the client that sends PORT or PASV), and plenty of client programs let you switch between the two; I am using CuteFTP here. The server can still refuse a mode it does not want to serve: in vsftpd, pasv_enable and port_enable control which of the two it accepts.
This article is from the "11036610" blog; please keep this attribution: http://11046610.blog.51cto.com/11036610/1840043